I do these updates and vulnerable plugin reports for the University of Missouri campus and thought I’d include them here as well.
Everyone should be updated to WordPress version 4.7 by now. If not, please do so as soon as you can. Lots of new, exciting features were added: WordPress 4.7 announcement and changelog.
If you didn’t follow Matt Mullenweg’s State of the Word this year from WordCamp US, you can watch it online (jump to 1:22:27 to see me question Matt on WordPress security issues). If you’re interested, I also wrote up my key take-aways from WordCamp: Part 1 and Part 2.
One of the big announcements from Matt was that he is taking over again as product lead for 2017 and that there will be no scheduled major releases of WordPress in 2017. Instead, the core team will focus on a simpler, faster UX (specifically the post editor) and more power for developers. Minor point releases for bugs and security fixes will still go out as needed, but major releases will not be on a schedule.
One of the big additions in v4.7 is that the core team added content endpoints to the new REST API. Unfortunately, one of those endpoints is users (/wp-json/wp/v2/users). Anyone can query it without logging in and get back the users who have published content, including each account's slug, which WordPress derives from the login name, so it is a ready-made list for password guessing. Despite all of our efforts to lock down this sensitive information leakage, WordPress has added yet another way to retrieve it. To disable this “feature”, add the code from this gist into your theme's functions.php file (or, better, into a small must-use plugin under wp-content/mu-plugins so it survives a theme change).
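For reference, here is one way to do it, written as an added example rather than the gist linked above. It hooks the rest_endpoints filter and drops the two user routes for anonymous requests; the function name prefix mu_ and the mu-plugins location are my assumptions, not anything from the post.

```php
<?php
/**
 * Hide the REST API user endpoints from anyone who is not logged in.
 * Added example, not the gist linked in the post. Save it as
 * wp-content/mu-plugins/hide-user-endpoints.php (assumed location)
 * or paste it into your theme's functions.php.
 */

/**
 * Remove the /wp/v2/users routes for anonymous requests. Logged-in users
 * (the admin screens rely on these routes) keep them.
 *
 * @param array $endpoints Route => handlers map built by WP_REST_Server.
 * @return array Filtered map.
 */
function mu_hide_user_endpoints( $endpoints ) {
	if ( is_user_logged_in() ) {
		return $endpoints;
	}

	// Keys are the exact route strings registered by WP_REST_Users_Controller
	// (single quotes keep the \d in the regex intact).
	$user_routes = array(
		'/wp/v2/users',
		'/wp/v2/users/(?P<id>[\d]+)',
	);
	foreach ( $user_routes as $route ) {
		unset( $endpoints[ $route ] );
	}

	return $endpoints;
}
add_filter( 'rest_endpoints', 'mu_hide_user_endpoints' );
```

To check it, request https://your-site/wp-json/wp/v2/users (or /?rest_route=/wp/v2/users on sites without pretty permalinks) while logged out; you should get a 404 with the error code rest_no_route instead of a JSON list of users.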
You also might have heard quite a bit recently about the remote code execution vulnerability in PHPMailer (CVE-2016-10033, fixed in PHPMailer 5.2.18, plus a bypass of that fix, CVE-2016-10045, fixed in 5.2.20), a library bundled in WordPress core. It is a critical bug, but several pieces have to align for it to be exploited inside WordPress: the attacker has to get a crafted sender address through to PHP's mail(), which PHPMailer passed along as extra sendmail arguments, and WordPress's wp_mail() builds its default From address from the server hostname rather than from user input. An attacker would either need to combine multiple successful attacks, or already have an admin account on the site. And if they have an admin account already, you're already in trouble. I mention it because WordPress will be updating its bundled copy in the coming days, so make sure to update as soon as that release is out. More importantly, I would begin looking through your theme and plugins for their own copies of PHPMailer (class.phpmailer.php; the core copy is wp-includes/class-phpmailer.php), since a core update does not touch those. If you find a vulnerable version, I would suggest manually updating that copy, or discontinuing use of the theme/plugin until its author has updated the file.
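To make that audit less manual, here is an added example (not the post's code and not PHPMailer's) that walks a WordPress install, reports every bundled copy of PHPMailer with the version string from its $Version property, and flags anything older than 5.2.20. It assumes you run it from the command line with the web root as the argument; the file names it looks for are the ones PHPMailer 5.x and WordPress core ship.

```php
<?php
/**
 * find-phpmailer.php: list bundled PHPMailer copies under a WordPress install
 * and flag versions older than 5.2.20 (CVE-2016-10033 fixed in 5.2.18, its
 * bypass CVE-2016-10045 in 5.2.20). Added example, not from the original post.
 *
 * Usage: php find-phpmailer.php /var/www/html
 */

// File names PHPMailer 5.x ships under; WordPress core uses the hyphenated one.
$GLOBALS['phpmailer_filenames'] = array( 'class.phpmailer.php', 'class-phpmailer.php' );
define( 'PHPMAILER_FIXED_VERSION', '5.2.20' );

/**
 * Pull the version out of PHPMailer source text ($Version = '5.2.14';).
 * Returns null when no version string is present.
 */
function phpmailer_version_from_source( $source ) {
	if ( preg_match( '/\$Version\s*=\s*[\'"]([0-9][0-9.]*)[\'"]/', $source, $m ) ) {
		return $m[1];
	}
	return null;
}

/** True when $version predates the 5.2.20 fix. */
function phpmailer_is_vulnerable( $version ) {
	return version_compare( $version, PHPMAILER_FIXED_VERSION, '<' );
}

/**
 * Walk $root recursively and return path => version (or null) for each
 * PHPMailer file found. Unreadable directories are skipped, not fatal.
 */
function find_phpmailer_copies( $root ) {
	$found = array();
	$it    = new RecursiveIteratorIterator(
		new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
		RecursiveIteratorIterator::LEAVES_ONLY,
		RecursiveIteratorIterator::CATCH_GET_CHILD
	);
	foreach ( $it as $file ) {
		if ( ! in_array( $file->getFilename(), $GLOBALS['phpmailer_filenames'], true ) ) {
			continue;
		}
		$path           = $file->getPathname();
		$found[ $path ] = phpmailer_version_from_source( file_get_contents( $path ) );
	}
	return $found;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
	foreach ( find_phpmailer_copies( $argv[1] ) as $path => $version ) {
		if ( $version === null ) {
			$status = 'UNKNOWN';
		} elseif ( phpmailer_is_vulnerable( $version ) ) {
			$status = 'VULNERABLE';
		} else {
			$status = 'ok';
		}
		printf( "%-10s %-8s %s\n", $status, $version === null ? '-' : $version, $path );
	}
}
```

Anything reported as VULNERABLE outside wp-includes belongs to a theme or plugin and will not be fixed by the core update; UNKNOWN means a file with a PHPMailer name but no $Version string, which is worth opening by hand.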
Last, but not least, the vulnerable plugins report for 20170104:
https://docs.google.com/spreadsheets/d/1It-bOSM3AR_PVjKINvCe0bhiePEgT6L1EC4Sq3UxBIQ/edit?usp=sharing